


Institutional Archive of the Naval Postgraduate School 







1974 


Reliability analysis of phased missions 


Ziehms, Harald 


http://hdl.handle.net/10945/17209 


Downloaded from NPS Archive: Calhoun 






NAVAL POSTGRADUATE SCHOOL
Monterey, California










RELIABILITY ANALYSIS OF PHASED MISSIONS 


by 









Harald Ziehms 


December 1974 


Thesis Advisor: J. D. Esary


Approved for public release; distribution unlimited.








REPORT DOCUMENTATION PAGE

4. TITLE (and Subtitle): Reliability Analysis of Phased Missions
5. TYPE OF REPORT & PERIOD COVERED: Dissertation (December 1974)
7. AUTHOR(s): Harald Ziehms
9. PERFORMING ORGANIZATION NAME AND ADDRESS: Naval Postgraduate School,
   Monterey, California 93940
11. CONTROLLING OFFICE NAME AND ADDRESS: Naval Postgraduate School,
    Monterey, California 93940
12. REPORT DATE: December 1974
13. NUMBER OF PAGES: 68
14. MONITORING AGENCY NAME & ADDRESS (if different from Controlling Office):
    Naval Postgraduate School, Monterey, California 93940
15. SECURITY CLASS. (of this report): Unclassified
16. DISTRIBUTION STATEMENT (of this Report): Approved for public release;
    distribution unlimited
18. SUPPLEMENTARY NOTES: This research was partially supported by the
    Office of Naval Research (NR042-300) and the Strategic Systems Project
    Office (TA 19422). Thesis Advisor: Professor J. D. Esary, Autovon 479-2780
19. KEY WORDS: Reliability - Phased Missions - Multi-Phase Missions -
    Coherent Systems - Hazard Transform
20. ABSTRACT:

In a phased mission the relevant system configuration (block diagram
or fault tree) changes during consecutive time periods (phases). Many systems
are required to perform phased missions; a classic example is a spacecraft.
The reliability analysis of a phased mission encounters complexities not
present with just one phase, but can be transformed into an analysis of an
equivalent synthetic single-phase system. The transformation has a potential
for direct application, but can also be used to study refined computational
methods and to derive approximations to, and bounds on, mission reliability.







Reliability Analysis of Phased Missions 
by 


Harald Ziehms 
Korvettenkapitaen, Federal German Navy 
Ing. (grad.), Technische Akademie der Luftwaffe, 1966 
M.S., Naval Postgraduate School, 1972 


Submitted in partial fulfillment of the 
requirements for the degree of 


DOCTOR OF PHILOSOPHY 


from the 
NAVAL POSTGRADUATE SCHOOL 
December 1974 




ABSTRACT 


In a phased mission the relevant system configuration (block
diagram or fault tree) changes during consecutive time periods
(phases). Many systems are required to perform phased missions; a
classic example is a spacecraft.

The reliability analysis of a phased mission encounters complexities
not present with just one phase, but can be transformed into an
analysis of an equivalent synthetic single-phase system. The
transformation has a potential for direct application, but can also
be used to study refined computational methods and to derive
approximations to, and bounds on, mission reliability.


1. INTRODUCTION


1.1 BACKGROUND 

Among the various areas of applied probability theory and statistics
which jointly have become known as reliability theory, structural
reliability is the study of qualitative and quantitative relationships
between the reliability of (redundant) systems and the reliability of
their components. Reliability in the sense used here is the "probability
of a device performing its purpose adequately for the period of
time intended and the operating conditions encountered."

The problem of constructing reliable systems by using relatively
unreliable components redundantly was first studied by von Neumann
[1956]. Moore and Shannon [1956], inspired by the von Neumann paper,
analyzed relay circuits in which all relays have the same reliability.
They proved that the reliability of the circuit is an S-shaped function
of the common relay reliability, and subsequently showed that by proper
incorporation of redundancy, arbitrarily reliable circuits can be
constructed from arbitrarily unreliable elements. Their analysis
proceeded from a mathematical result which has come to be called the
"Moore-Shannon inequality." Birnbaum, Esary, and Saunders [1961]
generalized the concepts and extended some of the results of Moore
and Shannon, including the S-shapedness property, to the large class
of "coherent" systems, using Boolean functions to describe the
functional organization of systems. Esary and Proschan [1963] further
extended the Moore-Shannon inequality to the case of unequal component
reliabilities, and obtained convenient upper and lower bounds on
system reliability. With the subsequent introduction of the concept
of "system life" [Esary and Marshall 1964], a theoretical basis
for the reliability analysis of complex systems was complete.

Recent and ongoing research seems to follow mainly two lines. On
one hand, the theoretical basis is broadened, more realistic and hence
more complex situations are considered, and attempts to do without
some of the restrictive assumptions presently required are made. On
the other hand, approximation techniques and computational procedures
are explored with a view toward their implementation on digital
computers.

One specialized area of interest is the extension of the basic
problem of structural reliability to the situation in which the
functional organization of a system changes with time. This situation,
called the phased mission problem, is the topic of this thesis.


1.2 THE PHASED MISSION PROBLEM 

The reliability analysis of phased missions has received attention
in the basic papers of Rubin [1964] and Weisberg and Schmidt [1966]
which present procedures to approximately predict mission reliability
and crew safety for manned spacecraft. These authors introduced a
method of "cut set cancellation" which can be advantageously used to
simplify the structure of a system prior to beginning reliability
calculations. More recently, a similar approach is described in the
United States Navy reliability manual NAVORD OD 29304 Revision A
[1973]. Muth [1964], in an unpublished report, approached the
problem from a different angle, concentrating on "success paths."








The phased mission problem as considered here refers to the
following situation:

   A system consists of several components. The components perform
   independently of each other, and each of them can be in one of
   two states, functioning or failed. No component can be repaired
   or replaced, and each component has a life. The system performs
   a mission which can be divided into consecutive time periods, or
   phases. During each phase it has to accomplish a specified task.
   Thus the system configuration (a subset of the components and their
   functional organization which can be represented, for instance, by
   a block diagram or a fault tree) changes from phase to phase. As
   is the case with individual components, only two states of the
   system are recognized, functioning or failed.

With this situation in mind, the problem itself can be stated as:

   Given the survival characteristics of the components, the relevant
   system configuration in each phase, and the duration of the
   phases, what is the probability that the system will function
   throughout the mission, i.e. the mission reliability for the
   system?

The classic example of a phased mission is the voyage of a space
vehicle, but many other systems are also required to perform phased
missions. To illustrate the ideas and methods of this thesis, the
following hypothetical example will frequently be considered.

Example 1.1. A fire department has three vehicles:

- a multipurpose fire engine (M),

- a tanker (T),

- a light fire truck (L).

The firefighting equipment of a small chemical factory located
nearby consists of:

- a sprinkler system (S), 

- a hydrant (H), 

- a special apparatus for fighting chemical fires (F). 

The plant safety engineer wonders whether the combined hardware 
resources of the fire department and the factory are sufficient to 
fight a fire in the factory. He consults the fire chief, and together 
they conclude: 

(1) During the initial stage of a fire either the multipurpose 
engine, which carries a small water supply, or the light truck, pro- 
vided the sprinkler system works, suffices to evacuate the building. 

(2) To contain the fire the factory's special apparatus is 
needed, together with some auxiliary capability from the multipurpose 
engine or the light truck. Water can be supplied to the special 
apparatus and the department's units by the hydrant, or if it is out 
of order, by the tanker through pumps in the multipurpose engine. 

(3) After the fire has been contained it can be controlled 
either by the special apparatus or the multipurpose engine. Again, 
water can be supplied by the hydrant or by the tanker together with 
the multipurpose engine. []

The firefighting system described above has six components, and
it has to perform a three-phased mission. If it fails in even one
of the three phases, the mission is not accomplished.


1.3 SOME COMPLEXITIES OF THE PHASED MISSION PROBLEM

The reliability analysis of a phased mission encounters some
complexities which are not present when only one phase is considered.

For one thing, it is not correct to do a standard reliability
analysis for each phase separately, and then multiply the resulting
phase reliabilities together, even if the age of the components at
the beginning of each phase is taken into account. The implicit
assumption involved, that each component is functioning at the
beginning of a phase when the system has functioned throughout the
previous phase, is not necessarily true. The following example
illustrates this point.

Example 1.2. A system with two independent components, $C_1$
and $C_2$, is designed for a two-phased mission. In order for the
system to perform the required tasks, at least one component has to
function through phase 1 and both components have to function through
phase 2. The block diagram for this system is

[Block diagram with panels: phase 1, phase 2]

For k=1,2, let $\pi_{k1}$ denote the probability that component $C_k$
functions through phase 1, and $\pi_{k2}$ denote the conditional
probability that component $C_k$ functions through phase 2, given that it
has functioned through phase 1. The system reliability for phase 1
is $\pi_1 = \pi_{11} + \pi_{21} - \pi_{11}\pi_{21}$, and the system
reliability for phase 2, given that both the components have functioned
through phase 1, is $\pi_2 = \pi_{12}\pi_{22}$. Multiplying these together
would lead to the mission reliability

   $\pi_1 \pi_2 = (\pi_{11} + \pi_{21} - \pi_{11}\pi_{21})\,\pi_{12}\pi_{22}$.

This is greater than the correct mission reliability, which is

   $\pi_{11}\pi_{12}\pi_{21}\pi_{22}$,

since mission success is achieved if, and only if, both components
function throughout both phases. []

The multi-phase case is potentially different from the single-phase
case in another respect. With just one phase, if each component
has a life and the system configuration is coherent, then the system
has a life. In the multi-phase case this is not necessarily true.
Even if all components have lives and all phase configurations are
coherent, the system may not have a life. How this can happen is
shown in the next example.

Example 1.3. A two-component system is designed for a two-phase
mission with the phase configurations represented by the block
diagram

[Block diagram with panels: phase 1, phase 2]

If $\pi_{kj}$, k=1,2, j=1,2 are defined as in Example 1.2, then there is
a probability $(1 - \pi_{11})\,\pi_{21}\pi_{22}$ that the system fails in
phase 1, but functions again in phase 2. In this sense the system does
not have a life. []


The possible resurrection of a system in a later phase does not
present a problem in the reliability analysis of phased missions if
it is assumed that the life of the system ends at the time of its
first failure. This assumption is reasonable since failure of the
system in even one phase usually prevents mission success, and will
always be made here. By contrast, the possible resurrection of a
component would pose a much more serious problem, and is ruled out by
the assumption that all components have lives.


1.4 NON-ANALYTIC WAYS TO EVALUATE PHASED MISSIONS

Traditionally, the reliability of complex systems performing
multi-phased missions has been estimated by Monte Carlo methods. For
large systems, however, mission simulation and determination of success
or failure are time-consuming even when digital computers are employed.
Furthermore, Monte Carlo methods require a great number of simulation
replications before high confidence limits can be placed on a narrow
reliability band. It is therefore not surprising that these methods
proved to be excessively expensive in terms of both time and money,
especially when parametric studies must be performed.

Another method of analyzing phased missions is by considering the
distinct combinations of component performances which lead to mission
success, i.e. the success paths. To see how this works, assume that
the system has n components $C_1,\dots,C_n$ and is designed for an
m-phased mission. Let $\ell_k$ be the maximum number of phases component
$C_k$ survives, $\ell_k = 0,1,\dots,m$, k=1,...,n. Each of the n-tuples
$(\ell_1,\dots,\ell_n)$ then represents an event which implies either mission
success or failure, depending on the functional organization of the
system in the m phases. The probabilities of the events can be computed
from the component survival characteristics. Since the events
are disjoint, the probability of mission success, i.e. the reliability
of the system for the mission, is the sum of the probabilities
of the success path events.

This method is straightforward and could easily be developed into
an algorithm for computer implementation. In addition, it has the
advantage that with a slight modification not only the mission
reliability but also the probability of the system to survive the first j
phases of its mission, j=1,...,m, can be obtained. However, the
number of n-tuples to be considered, $(m+1)^n$, is such that economic
reasons prevent its use even for moderately sized systems performing
only a few phases.
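
The success-path enumeration described above, set beside the incorrect phase-by-phase product of Section 1.3, as an added Python example that is not part of the thesis. The function names, the numerical conditional phase reliabilities, and the structure functions for Example 1.1 (read from the verbal description of that example) are assumptions made for illustration.

```python
from itertools import product
from math import prod

def lifetime_pmf(pi_k):
    """P[component survives exactly l phases], l = 0..m, where
    pi_k[j-1] = P[survives phase j | survived phases 1..j-1]."""
    pmf, alive = [], 1.0
    for p in pi_k:
        pmf.append(alive * (1.0 - p))   # fails during the next phase
        alive *= p
    pmf.append(alive)                   # survives all m phases
    return pmf

def survival_by_success_paths(phases, pi):
    """Enumerate all (m+1)^n lifetime tuples (l_1, ..., l_n) and return
    [P(system functions through phases 1..j) for j = 1..m]."""
    names = sorted(pi)
    m = len(phases)
    pmfs = [lifetime_pmf(pi[k]) for k in names]
    surv = [0.0] * m
    for tup in product(range(m + 1), repeat=len(names)):
        p = prod(pmf[l] for pmf, l in zip(pmfs, tup))
        for j, phi in enumerate(phases, start=1):
            # component k functions in phase j iff it survives at least j phases
            x = {k: int(l >= j) for k, l in zip(names, tup)}
            if not phi(x):
                break                   # system life ends at its first failure
            surv[j - 1] += p
    return surv

def naive_phase_product(phases, pi):
    """The shortcut Section 1.3 warns against: treat each phase as a separate
    single-phase problem with component reliabilities pi[k][j-1], then multiply."""
    names = sorted(pi)
    result = 1.0
    for j, phi in enumerate(phases):
        r = 0.0
        for bits in product((0, 1), repeat=len(names)):
            if phi(dict(zip(names, bits))):
                r += prod(pi[k][j] if b else 1.0 - pi[k][j]
                          for k, b in zip(names, bits))
        result *= r
    return result

# Example 1.2: parallel in phase 1, series in phase 2.
EX12_PHASES = [lambda x: x["C1"] or x["C2"],
               lambda x: x["C1"] and x["C2"]]
EX12_PI = {"C1": [0.9, 0.8], "C2": [0.7, 0.6]}          # constructed values

# Example 1.1, read from conclusions (1)-(3) in the text (an assumption).
EX11_PHASES = [
    lambda x: x["M"] or (x["L"] and x["S"]),
    lambda x: x["F"] and (x["M"] or x["L"]) and (x["H"] or (x["T"] and x["M"])),
    lambda x: (x["F"] or x["M"]) and (x["H"] or (x["T"] and x["M"])),
]
EX11_PI = {"M": [0.95, 0.90, 0.90], "T": [0.98, 0.95, 0.95],   # constructed values
           "L": [0.90, 0.85, 0.85], "S": [0.80, 0.80, 0.80],
           "H": [0.99, 0.97, 0.97], "F": [0.97, 0.90, 0.85]}

if __name__ == "__main__":
    exact = survival_by_success_paths(EX12_PHASES, EX12_PI)[-1]
    naive = naive_phase_product(EX12_PHASES, EX12_PI)
    print("Example 1.2: exact", round(exact, 4), "phase product", round(naive, 4))
    by_phase = survival_by_success_paths(EX11_PHASES, EX11_PI)
    print("Example 1.1: survival through phases 1..j:",
          [round(s, 4) for s in by_phase])
```

For Example 1.1 the loop visits 4^6 = 4096 tuples; the count grows as $(m+1)^n$, which is the cost the paragraph above refers to.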

A refined computational method based on success paths was developed 
by Muth [1964]. His approach consists of setting up phase matrices of 
components and success paths, and collapsing these matrices successively 
into a single matrix which represents system success at the end of phase 
j, j=1,...,m. If the system can be broken up into many small sub- 
systems which have no components in common and thus can be analyzed 


separately, this approach makes reliability computations feasible. 


1.5 CONTENTS AND SUMMARY 

In this thesis, the phased mission problem is approached analytically.
The verbal statement of the problem in Section 1.2 is translated
into mathematical terms in Chapter 2. The resulting model is an
equation which relates mission reliability to the survival characteristics
of the components, the phase durations, and the phase configurations.
However, this equation, i.e. 2.3.1, neither provides much insight into
the problem nor can it easily be used to obtain numerical results.

In Chapter 3 a transformation is exhibited by means of which
a multi-phase mission can be reduced to an equivalent synthetic
single-phase system. Direct applications of this transformation are
discussed in Chapter 4. They include a method to adapt existing
algorithms and computer programs to the calculation of exact mission
reliabilities, and a technique to simplify phased mission problems
prior to beginning reliability calculations.

A troublesome byproduct of the transformation is an apparent
increase in the number of components of the system to which it is
applied. This may aggravate computational problems and make the
calculation of the exact mission reliability infeasible. Consequently,
it may be necessary to resort to approaches which require less
computational effort. Chapter 5, therefore, is devoted to a study of
bounds on mission reliability. Several upper and lower bounds are
derived and compared with each other, both in terms of precision and
the amount of computational effort required, and an algorithm for the
"best" lower bound is presented. An approximation technique which
has successfully been applied to single-phase systems is based on the
approximate hazard transform of Esary and Hayne [1973]; its potential
for the phased mission problem is discussed in Chapter 6.

Finally, possible extensions of the methods presented in this
thesis, and areas where further research is needed, are indicated in
Chapter 7.


2. MATHEMATICAL FORMULATION OF THE PHASED MISSION PROBLEM


The starting point of an analysis of the phased mission problem
described in Section 1.2 is a mathematical model which quantitatively
relates the variables of interest (the survival characteristics of the
components, the functional organization of these components in the
various phases of the mission, and the duration of the phases) to
mission reliability. Such a model is developed here in three steps.
The analytic tools employed are extensions of those used in standard
reliability analysis. The underlying assumptions are made explicit.


2.1 A MODEL FOR COMPONENT PERFORMANCES 
The system under consideration is assumed to have n components,
labelled $C_1,\dots,C_n$. Each component $C_k$ has a life, and hence its
time to failure, or life length, is well defined. Since it depends
on many factors and cannot be predicted accurately, it is expressed
by a non-negative random variable $T_k$. The assumption that the
components perform independently of each other formally means that
$T_1,\dots,T_n$ are stochastically independent.

For each component $C_k$ and all times $t \ge 0$, let $X_k(t)$ be a
Bernoulli random variable defined by

   $X_k(t) = 1$ if component $C_k$ functions at time t,
   $X_k(t) = 0$ otherwise.

The random variable $X_k(t)$ is called a performance state indicator
variable, and the stochastic process $\{X_k(t), t \ge 0\}$ is the performance
process of the component $C_k$. Since each component has a life, this
process has the properties:

   a) $X_k(t) = 0 \Rightarrow X_k(s) = 0$, $s \ge t$,
      $X_k(t) = 1 \Rightarrow X_k(s) = 1$, $s \le t$,


b) X, (t) je SE 3I t: 


Thus a sample path of a performance process is non-increasing and
continuous from the right, as indicated in Figure 2.1.

Figure 2.1. Performance process sample path, component $C_k$.

For each $t \ge 0$, let $\mathbf{X}(t) = (X_1(t),\dots,X_n(t))$ be the performance
state indicator vector of the set of components. Then the stochastic
process $\{\mathbf{X}(t), t \ge 0\}$ is called the joint performance process of the
components.

The joint performance process is a mathematical description of the 
component failure times, and as such the first step in the development 
of the model. It is compatible with the use of structure functions 
to represent system configuration within the phases, which is discussed 


in the next section. 


2.2 A MODEL FOR SYSTEM CONFIGURATIONS 
It is assumed throughout this thesis that the state of the system
(i.e. functioning or failed) is completely determined by the states of
its components. Then the system configuration in each of the
phases can be described by a block diagram or a fault tree for
conceptual purposes, or by a structure function for mathematical
analysis. A structure function is a binary function $\phi$ of binary
variables $x_1,\dots,x_n$ which relates the performance state of the
system to the performance states of its components; in particular
$\phi(\mathbf{x}) = \phi(x_1,\dots,x_n) = 1$ if the system functions, and
$\phi(\mathbf{x}) = 0$ otherwise, where $x_k = 1$ if component $C_k$
functions, and $x_k = 0$ otherwise.

It is further assumed that each phase configuration of a system
is coherent, i.e. can be represented by a block diagram or a fault
tree using AND and OR gates. If a configuration is coherent, then
its structure function $\phi$ has the properties:

   a) $\phi(\mathbf{x}) \ge \phi(\mathbf{y})$ whenever $x_k \ge y_k$, k=1,...,n,

   b) $\phi(\mathbf{0}) = \phi(0,\dots,0) = 0$,

   c) $\phi(\mathbf{1}) = \phi(1,\dots,1) = 1$.


To illustrate, a block diagram for the mission described in 


Example 1.1 is shown in Figure 2.2, and a fault tree in Figure 2.3. 





Figure 2.2. Block diagram for the mission 
of Example 1.1. 
The structure functions for the system of Example 1.1 are:

   for phase 1, $\phi_1 = x_M \vee x_L x_S$,
   for phase 2, $\phi_2 = x_F (x_M \vee x_L)(x_H \vee x_T x_M)$,
   for phase 3, $\phi_3 = (x_F \vee x_M)(x_H \vee x_T x_M)$.

The symbol $\vee$ is the arithmetic OR operator, i.e.

   $x_1 \vee x_2 = 1$ if $x_1 = 1$ or $x_2 = 1$,
   $x_1 \vee x_2 = 0$ if $x_1 = 0$ and $x_2 = 0$,

or for computational purposes, $x_1 \vee x_2 = 1 - (1-x_1)(1-x_2)$.

The phase structure functions can be combined with the joint
performance process to achieve a concise mathematical formulation of the
phased mission problem.


2.3 A COMPLETE MODEL FOR THE PHASED MISSION PROBLEM 

The mission is assumed to be divided into m phases, and to
start at time t=0. For j=1,...,m, the time at which phase j ends
and, except for j=m, the next phase begins, is denoted by $t_j$. The
structure function appropriate for phase j is denoted by $\phi_j$.

The event that the system functions during phase j can be
expressed as $\{\phi_j(\mathbf{X}(t_j)) = 1\}$, and the event that the system functions
throughout the m phases, i.e. throughout the mission, as
$\{\phi_1(\mathbf{X}(t_1)) = 1,\dots,\phi_m(\mathbf{X}(t_m)) = 1\}$. The mission reliability for the system
is the probability that this event occurs. Since $\phi_j(\mathbf{X}(t_j))$, j=1,...,m,
are Bernoulli random variables, this probability can be expressed
compactly by

   $p = P[\prod_{j=1}^{m} \phi_j(\mathbf{X}(t_j)) = 1] = E \prod_{j=1}^{m} \phi_j(\mathbf{X}(t_j))$,      (2.3.1)

where E denotes expectation.

Equation (2.3.1) is the complete model for the phased mission
problem as described in the introduction and as qualified by the
assumptions made, but neither is it a formula for practical reliability
calculations nor does it provide much insight into the problem. It
does, however, indicate that the sequential operation of the phase
configurations to some extent resembles the operation of subsystems
performing in series. This fact is essential in transforming the
phased mission problem.


3. TRANSFORMATION OF THE PHASED MISSION PROBLEM



Complexities in the reliability analysis of phased missions arise
because a component's performance in one phase is not stochastically
independent of its performance in any other phase. The dependence,
however, is of a special type. A component functions in phase j if,
and only if, it has previously functioned in phase 1, and in phase 2,
..., and in phase j-1, and then functions in phase j. This sequence
of requirements suggests that the performance of a component in phase
j can be represented by a series-like structure whose elements
represent its performance in phases 1,...,j.


3.1 THE TRANSFORMATION 
Suppose that component $C_k$ is replaced in phase j by a system
of components $C_{k1},\dots,C_{kj}$ performing independently and in series.

In block diagram format, the block


is replaced in phase j by the system


In fault tree format, the input event $C_k$ (failure of component $C_k$)
is replaced in phase j by


Let $U_{k1},\dots,U_{kj}$ be independent performance state indicator
variables for the components $C_{k1},\dots,C_{kj}$, with

   $P[U_{k1} = 1] = P[X_k(t_1) = 1]$,
                                                              (3.1.1)
   $P[U_{ki} = 1] = P[X_k(t_i) = 1 \mid X_k(t_{i-1}) = 1]$, i=2,...,j.

Then $P[X_k(t_j) = 1] = P[U_{k1} U_{k2} \cdots U_{kj} = 1]$, and thus

   $X_k(t_j) \overset{st}{=} U_{k1} U_{k2} \cdots U_{kj}$,

where $\overset{st}{=}$ means "is stochastically equal to" or, less formally,
"has the same distribution as." Thus the original component and the
substituted system have, as of the end of phase j, the same
reliability.

The preceding observations suggest that a transformation of the
phased mission problem can be accomplished by

   a) Replacing, in the configuration for phase j, j=1,...,m,
      component $C_k$, k=1,...,n, by a series system in which the
      components $C_{k1},\dots,C_{kj}$ perform independently, with the
      probabilities of functioning given in (3.1.1).

   b) Considering the transformed phase configurations to be
      subsystems which operate in series.





The resulting new system, which has (at most) n*m independent 
components, is the equivalent system. As will be shown later, the 
ordinary reliability of the equivalent system is the same as the 
reliability of the original system for its phased mission. 

The block diagram for the equivalent system arising out of Example 
1.1 is given in Figure 3.1. A comparison with the block diagram for 
the phased mission shown in Figure 2.2 illustrates how the transforma- 


tion is implemented. 


Figure 3.1. Equivalent system for the mission of Example 1.1.
(Panels: transformed configuration 1, transformed configuration 2,
transformed configuration 3.)


3.2 SOME PROPERTIES OF THE EQUIVALENT SYSTEM

Two important properties of the equivalent system are that it 
performs just one phase, and that it is coherent. The former is a 
direct consequence of step (b) of the transformation. To obtain the 
latter, note that by step (b) of the transformation the equivalent 
system is a series, and hence coherent, structure of subsystems which 
themselves are coherent structures by assumption; their elements are, 
from step (a) of the transformation, series systems of components. 

The result then follows from the fact that a coherent structure of 
coherent structures is coherent. 

These two properties together with the assumption that all
components in the original system - and hence all components in the
equivalent system - have lives imply that the equivalent system has a
life. Thus the potential difficulties mentioned in the introduction
and illustrated in Example 1.3 cannot occur in the equivalent system.

By contrast, another one of the difficulties of phased missions
mentioned in the introduction does not disappear in the equivalent
system. Although the m phase configurations operating in sequence
in the phased mission become m subsystems operating in series in the
equivalent system - a fact which simplifies the problem considerably -
the subsystems usually have components in common and do not function
independently. Hence the product of the subsystem reliabilities is in
general not equal to the reliability of the equivalent system, as is
illustrated by the following extension of Example 1.2.

Example 3.1. For the mission described in Example 1.2, the
equivalent system has the block diagram

[Block diagram with panels: subsystem 1, subsystem 2]

Letting $\pi_{kj}$, k=1,2, j=1,2, be as defined in Example 1.2, and


nm 
Py 17744? Pro Ta TD? k=1,2, the subsystem reliabilities are 


= T E 


Do 20307253 DAT, SP Po; PPS) 


no cg 1137275355 15099: 


Their product is, except in trivial cases, less than the true 


2709 


system reliability p = which can be found by 


AA 


reducing the block diagram to its simplest form 


The true reliability for the equivalent system does agree with the 


reliability for the phased mission given in Example 1.2. [] 


3.3 MATHEMATICAL FORMULATION OF THE TRANSFORMED PROBLEM 


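The transformed version of the phase j configuration functions
if the event $\{\phi_j(\mathbf{U}_1 \mathbf{U}_2 \cdots \mathbf{U}_j) = 1\}$ occurs, where
$\mathbf{U}_i = (U_{1i},\dots,U_{ni})$ and
$\mathbf{U}_1 \mathbf{U}_2 \cdots \mathbf{U}_j = (U_{11}U_{12}\cdots U_{1j},\dots,U_{n1}U_{n2}\cdots U_{nj})$.
The equivalent system functions if the event

   $\{\prod_{j=1}^{m} \phi_j(\mathbf{U}_1 \mathbf{U}_2 \cdots \mathbf{U}_j) = 1\}$

occurs. Thus the reliability of the equivalent system is

   $p = P[\prod_{j=1}^{m} \phi_j(\mathbf{U}_1 \mathbf{U}_2 \cdots \mathbf{U}_j) = 1]$
                                                              (3.3.1)
     $= E \prod_{j=1}^{m} \phi_j(\mathbf{U}_1 \mathbf{U}_2 \cdots \mathbf{U}_j)$.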


3.4 RELIABILITY EQUIVALENCE OF THE ORIGINAL AND THE EQUIVALENT SYSTEM 
It remains to establish that the reliability of the equivalent 
system agrees with the mission reliability of the original system, i.e. 
that p as given by (3.3.1) agrees with p as given by (2.3.1). This 

is done by the following theorem and the subsequent remarks. 
Theorem 3.1. Let $X_1,\dots,X_m$ be a non-increasing sequence of
Bernoulli random variables, i.e. $X_1 \ge X_2 \ge \dots \ge X_m$. Let
$U_1,\dots,U_m$ be independent Bernoulli random variables with

   $P[U_1 = 1] = P[X_1 = 1]$,
   $P[U_j = 1] = P[X_j = 1 \mid X_{j-1} = 1]$, j=2,...,m.

Then

   $(X_1, X_2, \dots, X_m) \overset{st}{=} (U_1, U_1 U_2, \dots, U_1 U_2 \cdots U_m)$.

Proof. It is only necessary to show for each non-increasing
binary sequence $x_1 \ge x_2 \ge \dots \ge x_m$ that

   $P[X_1 = x_1,\dots,X_m = x_m] = P[U_1 = x_1, U_1 U_2 = x_2,\dots,U_1 U_2 \cdots U_m = x_m]$.

For the sequence $x_1 = 0, x_2 = 0,\dots,x_m = 0$,

   $P[X_1 = 0,\dots,X_m = 0] = P[X_1 = 0] = P[U_1 = 0]$
      $= P[U_1 = 0, U_1 U_2 = 0,\dots,U_1 U_2 \cdots U_m = 0]$.

For the sequence $x_1 = 1, x_2 = 1,\dots,x_m = 1$,

   $P[X_1 = 1,\dots,X_m = 1] = P[X_m = 1 \mid X_{m-1} = 1] \cdots P[X_2 = 1 \mid X_1 = 1]\,P[X_1 = 1]$
      $= P[U_m = 1] \cdots P[U_2 = 1]\,P[U_1 = 1]$
      $= P[U_1 = 1, U_1 U_2 = 1,\dots,U_1 U_2 \cdots U_m = 1]$.

For any other sequence $x_1 = 1,\dots,x_\ell = 1$, $x_j = 0$, $j = \ell+1,\dots,m$,

   $P[X_1 = 1,\dots,X_\ell = 1, X_{\ell+1} = 0,\dots,X_m = 0]$
      $= P[X_{\ell+1} = 0,\dots,X_m = 0 \mid X_1 = 1,\dots,X_\ell = 1]\,P[X_1 = 1,\dots,X_\ell = 1]$
      $= P[X_{\ell+1} = 0 \mid X_\ell = 1]\,P[X_1 = 1,\dots,X_\ell = 1]$
      $= P[U_{\ell+1} = 0]\,P[U_1 = 1,\dots,U_\ell = 1]$
      $= P[U_1 = 1,\dots,U_\ell = 1, U_{\ell+1} = 0]$
      $= P[U_1 = 1, U_1 U_2 = 1,\dots,U_1 U_2 \cdots U_\ell = 1,$
         $U_1 U_2 \cdots U_{\ell+1} = 0,\dots,U_1 U_2 \cdots U_m = 0]$. []


From (2.1.1) the sequence of variables $X_k(t_1),\dots,X_k(t_m)$, which
indicate the performance of component $C_k$ at the end of each phase,
is non-increasing. Thus for $U_{k1},\dots,U_{km}$ constructed according to
(3.1.1),

   $(X_k(t_1), X_k(t_2),\dots,X_k(t_m)) \overset{st}{=} (U_{k1}, U_{k1}U_{k2},\dots,U_{k1}U_{k2}\cdots U_{km})$.

Then, since component failure times, and consequently performance
processes, are independent,

   $(\mathbf{X}(t_1), \mathbf{X}(t_2),\dots,\mathbf{X}(t_m)) \overset{st}{=} (\mathbf{U}_1, \mathbf{U}_1\mathbf{U}_2,\dots,\mathbf{U}_1\mathbf{U}_2\cdots\mathbf{U}_m)$.

Since the event "success in the phased mission" occurs if $\phi_j(\mathbf{X}(t_j)) = 1$,
j=1,...,m, and the event "functioning of the equivalent system" occurs
if $\phi_j(\mathbf{U}_1\mathbf{U}_2\cdots\mathbf{U}_j) = 1$, j=1,...,m, then these two events are
stochastically equivalent. Thus p as given by (2.3.1) agrees with
p as given by (3.3.1).
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4. DIRECT APPLICATIONS OF THE TRANSFORMATION 


ee ë O aa 


e 


The transformation described in Chapter 3 can be used to obtain 
results for the phased mission problem which are of theoretical and 


practical interest. Two of these are discussed below. 


4.1 CALCULATION OF THE EXACT MISSION RELIABILITY 

Several computational methods are known for the numerical
evaluation of system reliability in the single-phase case. Based on
them, computer programs for reliability analyses have been developed.
The transformation provides, in principle, a way to adapt these methods
and programs to the calculation of mission reliabilities in the
multi-phase case. The necessary inputs are the phase configurations and,
phase by phase, the conditional probabilities that the components
survive the phase, given that they have survived the previous phases, i.e.
the conditional component phase reliabilities

(4.1.1)
$$\pi_{k1} = P[X_k(t_1)=1],$$

$$\pi_{kj} = P[X_k(t_j)=1 \mid X_k(t_{j-1})=1], \quad j=2,\ldots,m,$$

k=1,...,n. From (3.1.1) the conditional component phase reliabilities
are the reliabilities of the components in the equivalent system.
Computer programs could be adapted to accomplish steps (a) and (b) of
the transformation internally, and then to find the reliability of the
equivalent system which by Theorem 3.1 is the mission reliability for
the original system.

Theoretically, this approach eliminates all difficulties inherent
in the phased mission problem, because it reduces the reliability
analysis of a system performing a multi-phase mission to the standard
reliability analysis of a single-phase system. It may, however, not
always be a practical or an efficient approach. Realistic systems
usually have so many components to start with that when the
transformation is performed with its concomitant increase in the number of
components in the equivalent system, the costs - in terms of computer
time and memory - of calculating exact mission reliabilities are
excessive. Frequently this is the case even for single-phase missions.
Most existing reliability analysis programs therefore are designed to
provide only approximations to system reliability, and it is not
always clear whether such an approximation is conservative or optimistic.
Thus the direct approach, i.e. applying the transformation and then
using an existing computer program, is not necessarily the best
solution to the phased mission problem.

Different approaches to the assessment of mission reliability which
avoid some of the problems mentioned above will be discussed in Chapters
5 and 6, after an additional direct application of the transformation
has been presented.


4.2 THE CUT CANCELLATION TECHNIQUE 

The transformation can provide a simple rationale for the cut 
cancellation technique of Rubin, Weisberg, and Schmidt. Conversely, 
cut cancellation can result in an advantageous simplification of the 
earlier configurations of a phased mission, prior to any implementation 
of the transformation.

For instance, the sequence of phase configurations in Example 1.2
turned out to have the mission reliability $p = \pi_{11}\pi_{12}\pi_{21}\pi_{22}$. Using
notation introduced in Example 3.1, i.e. defining the (unconditional)
component reliability $\rho_{kj}$ as the probability that component $C_k$
survives from the beginning of the mission through the end of phase j,

(4.2.1)
$$\rho_{kj} = P[X_k(t_j)=1] = \prod_{i=1}^{j} \pi_{ki},$$

k=1,...,n, this mission reliability can be written as $p = \rho_{12}\rho_{22}$.
The sequence of phase configurations

[Block diagram: phase 1, phase 2]

has the same mission reliability. In Example 1.2 the only minimal
cut set in phase 1, $\{C_1, C_2\}$, contains the phase 2 cut sets $\{C_1\}$
and $\{C_2\}$. Thus $\{C_1, C_2\}$ can be "cancelled" in its phase, leaving
a configuration which can never fail.

The minimal cut sets of a (coherent) system are the minimal (in 
the sense of set inclusion) combinations of components which by all 
failing cause the system to fail. Every coherent system can be viewed 
as a series structure of subsystems, each of which consists of the 
components in a minimal cut set acting in parallel. Equivalently,
the configuration of every coherent system - and, in the context of the 
phased mission problem, every phase configuration - can be described 
by a complete list of its minimal cut sets. 

The rule for cut cancellation is:

    A minimal cut set in a phase can be cancelled, i.e.
    omitted from the list of minimal cut sets for that
    phase, if it contains a minimal cut set of a
    later phase.

A slightly more typical illustration of how cut cancellation works
is given in the following example.


Example 4.1. A mission has the phase configurations 





The minimal cut sets are: in phase 1 (C, Jj (65,04), 

in phase 2 {C, } {C, ,C,}. 
The phase 1 cut {C,,C,} contains the phase 2 cut {C,}, and so can 
be cancelled in phase 1. No cancellation results from the fact that
the phase 2 cut {C, ,C4) contains the phase 1 cut tci) because cut 
cancellation is not a symmetric procedure. 


After cancellation the sequence of phase configurations reduces to

[Block diagram: phase 1, phase 2]

It is easy to verify that both sequences lead to the same mission
reliability by comparing their equivalent systems. □

The use of cut cancellation is justified by the theorem below.
In its proof, the symbol $\bigvee$ is the repeated OR operator; for binary
variables $x_1, \ldots, x_n$,

$$\bigvee_{i=1}^{n} x_i = x_1 \vee x_2 \vee \ldots \vee x_n$$

or, for computational purposes,

$$\bigvee_{i=1}^{n} x_i = 1 - \prod_{i=1}^{n} (1 - x_i).$$


Theorem 4.1. Cut cancellation does not affect mission reliability. 
Proof. Assume without loss of generality that a system performing 


a phased mission contains a minimal cut set {C CC 0) 


ELM a lee 
in the configuration of phase h, and a minimal cut set (6,,...,C] 
in the configuration of phase i, i>h. From (3.3.1) the reliability


of the equivalent system is, in shorthand notation, 


pS E Pdo rd rro Pd n° 


Let $, and $; denote the structure functions of the subsystems 
that remain when the above minimal cut sets are omitted in the trans- 
formed configurations of phase h and phase i, respectively. Then 


Á- S h 
(4.2.2) 


© 
| 


av ti 
Q7 9 UU TIS: 


The reliability can now be expressed as
-- r 1
Vs Tal dt 


a" = S h 
p=E babae e An Veal ljk?) Oy 


m 


H 


- - S h r i 
E A Tl Ve Ta) 


By the laws of Boolean algebra, 


S h r i 
(44114240) 4 11,240? 


N 


VEIT A Y pg S, 
= VP 
Therefore, 
p=E $465. Ope e RO TT RE 


= E br dore ede eedse eed i 


a m 


i.e. the minimal cut set can be omitted from the transformed
configuration of phase h without changing the reliability of the equivalent
system. The result then follows from Theorem 3.1. □

Remark 4.2. An even stronger result than Theorem 4.1 can be 
achieved. If (as henceforth will be done) J is used to denote the 
structure function of the phase j configuration after cut cancellation 
has been performed to the greatest possible extent, j=1,...,m, then


by an argument along the lines of the proof above it can be shown that 
(4.2.3) e E || él. 

Hat Tat 
although it follows from (4.2.2) that for j=1,...,m,


(4.2.4) $ 


IV 
X 


. 3 


and strict inequality may hold in (4.2.4) for all j except j=m. □

As a final illustration of the cut cancellation technique,
consider its effect on the mission described in Example 1.1. The minimal
cut sets for this mission are, before cancellation:

    in phase 1   {M,L} {M,S}
    in phase 2   {F} {H,M} {H,T} {M,L}
    in phase 3   {F,M} {H,M} {H,T}

The minimal cut sets remaining after cancellation are:

    in phase 1   {M,S}
    in phase 2   {F} {M,L}
    in phase 3   {F,M} {H,M} {H,T}
A block diagram for the sequence of simplified phase configurations
is shown in Figure 4.1.

Figure 4.1. Block diagram for the mission of
Example 1.1 after cut cancellation.

After cancellation, the transformation can be applied to obtain
the equivalent system shown in Figure 4.2. This system is considerably
simpler than the one shown in Figure 3.1, but has the same reliability.
Reliability computations are simplified accordingly.

[Panels: transformed configuration 1, transformed configuration 2, transformed configuration 3]

Figure 4.2. Equivalent system for the mission
of Example 1.1, after cancellation.

5. BOUNDS ON MISSION RELIABILITY


In Section 4.1 it was shown how the transformation can be used
directly for the calculation of exact mission reliabilities; it was
also pointed out why this approach may be problematic. In this
chapter, bounds on mission reliability are studied. Bounds require
less computational effort than the exact reliabilities and, although
not necessarily precise, often suffice for the purpose at hand.


5.1 BOUNDS BASED ON PHASE RELIABILITY FUNCTIONS 

A tempting procedure to approximate mission reliability is to
deliberately commit what was shown to be a logical error when trying
to find exact reliabilities, namely to compute the reliability of each
phase configuration separately, and then to multiply the results
together. There are at least two choices of component reliabilities
to use in doing this: the conditional component phase reliabilities
$\pi_{kj}$ given in (4.1.1), or the (unconditional) component reliabilities
$\rho_{kj}$ given in (4.2.1). The first choice leads to estimating mission
reliability by

(5.1.1)
$$\pi_{PRF} = \prod_{j=1}^{m} h_j(\pi_{1j}, \ldots, \pi_{nj}),$$

and the second choice to estimating mission reliability by

(5.1.2)
$$\rho_{PRF} = \prod_{j=1}^{m} h_j(\rho_{1j}, \ldots, \rho_{nj}),$$

where in both cases $h_j$, j=1,...,m, are the reliability functions for
the phase configurations. The reliability function of a system with
structure function $\phi$ is defined by

$$h(p_1, \ldots, p_n) = P[\phi(X_1, \ldots, X_n) = 1] = E\,\phi(X_1, \ldots, X_n),$$

where $X_1, \ldots, X_n$ are independent performance state indicator variables
with $P[X_k=1] = p_k$, k=1,...,n.

The following theorem shows that (5.1.1) gives an optimistic
result (cf. Example 1.2), i.e. is an upper bound on mission reliability,
while (5.1.2) gives a conservative result (cf. Example 3.1), i.e.
is a lower bound.

Theorem 5.1. For $\pi_{PRF}$ as given by (5.1.1), $\rho_{PRF}$ as given by
(5.1.2), and p as given by (2.3.1) or (3.3.1),

$$\rho_{PRF} \le p \le \pi_{PRF}.$$

Proof. The coherent phase configurations have non-decreasing 


EI D 


structure functions from (2.2.1), and U are independent 


by construction. Thus 


IA 


F ME UA...) E 219,09 


M5 1.3) E m (3) 
" IT, ate (U ) , 
so that $p \le \pi_{PRF}$ from (3.3.1) and (5.1.1).

The proof that $\rho_{PRF} \le p$ uses standard properties of associated
random variables. Since rare k=1,...,n, a are independent
and thus associated, and $\phi_j$, j=1,...,m, are non-decreasing, then
e, qu Pu, j=1,...,m, are associated. Therefore the inequality


— 
-—— 


z Dj y? N ) 
TE QU E A 


holds, so that $\rho_{PRF} \le p$ from (3.3.1) and (5.1.2). □

The method of approximating mission reliability described above
can also be employed after cut cancellation has been performed. Denoting
the phase reliability functions of the simplified phase configurations
by h., j=1,...,n, the resulting approximations corresponding to
$\pi_{PRF}$ and $\rho_{PRF}$ are
(5.1.4) " AO i) 

; PRF-CC ale D on; 
and 

PRF-CC IATA f 

respectively. Again, $\pi_{PRF-CC}$ gives an optimistic, and $\rho_{PRF-CC}$ a
conservative result, as is shown in the next theorem.

Theorem 5.2. For $\pi_{PRF-CC}$ as given by (5.1.4), $\rho_{PRF-CC}$ as
given by (5.1.5), and p as given by (2.3.1) or (3.3.1),

$$\rho_{PRF-CC} \le p \le \pi_{PRF-CC}.$$


Proof. The phase structure functions are greater after cut can- 


cellation than before from (4.2.4); thus 
(5.1.6) TE co, (US), = TI." uw), 
j=l j7 ISL 


so that fromm S919) (5.1.3) ANd T 44b. 


« 
P" "PRF-CC 
The JL j=1,...,m are non-decreasing, and therefore the same
properties of associated random variables used before lead to the
inequality
y y 2 DO O 
Mate VE TT,.,9, © RE O 


The equivalent system has the same reliability before and after cut 


cancellation by Theorem 4.1, i.e. 
O AI A O) 
E Dat; @ Use LO MS GE 1I, € UE UN 9 


so that $\rho_{PRF-CC} \le p$ from (3.3.1) and (5.1.5). □

The four bounds presented so far all presuppose that the phase
reliability functions 2 or h, are known for all m phases.
Although to compute them is considerably easier than to compute the
reliability function for the complete equivalent system, it may still
be a formidable task. In the following section, therefore, bounds
are studied which do not involve the phase reliability functions.


5.2 BOUNDS BASED ON PHASE BOUNDS 
For coherent single-phase systems with independent components, 
Esary and Proschan [1963] have established two bounds on system 
reliability which can be computed without a knowledge of the reliability 
function. In one case, the system is expressed as a series structure 
of subsystems each of which consists of the components in a minimal 
cut set acting in parallel. The reliabilities of all subsystems are 
calculated separately and then multiplied together, the result being 
the minimal cut lower bound. In the other case, the system is expressed 
as a parallel structure of subsystems each of which consists of the 
components in a minimal path set acting in series. Again, the subsystem 
reliabilities are calculated separately, and then the reliability of 
the system is computed as if the subsystems were independent, resulting 
in the minimal path upper bound. (The minimal path sets of a coherent 
system are the minimal, in the set inclusion sense, combinations of 
components which by all functioning ensure the functioning of the system.) 
These two bounds, when applied to each phase separately, can be 
used to approximate mission reliability in the multi-phase case. Let 
$h_{UBj}$ and $h_{LBj}$ denote the minimal path upper bound and the minimal
cut lower bound, respectively, for phase configuration j, j=1,...,m.


Using basically the same approach as before, and choosing as component
reliabilities the conditional component phase reliabilities $\pi_{kj}$
in one case and the (unconditional) component reliabilities $\rho_{kj}$
in the other, one obtains the approximations

(5.2.1)
$$\pi_{PUB} = \prod_{j=1}^{m} h_{UBj}(\pi_{1j}, \ldots, \pi_{nj})$$

and

(5.2.2)
$$\rho_{PLB} = \prod_{j=1}^{m} h_{LBj}(\rho_{1j}, \ldots, \rho_{nj})$$

which by the following theorem are bounds on mission reliability.

Theorem 5.3. For $\pi_{PUB}$ as given by (5.2.1), $\rho_{PLB}$ as given by
(5.2.2), and p as given by (2.3.1) or (3.3.1),

$$\rho_{PLB} \le p \le \pi_{PUB}.$$


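Proof. The phase configurations are coherent, thus
$h_{LBj} \le h_j \le h_{UBj}$, j=1,...,m, by construction, and the inequalities

(5.2.3)
$$\prod_{j=1}^{m} h_j(\pi_{1j}, \ldots, \pi_{nj}) \le \prod_{j=1}^{m} h_{UBj}(\pi_{1j}, \ldots, \pi_{nj})$$

and

(5.2.4)
$$\prod_{j=1}^{m} h_{LBj}(\rho_{1j}, \ldots, \rho_{nj}) \le \prod_{j=1}^{m} h_j(\rho_{1j}, \ldots, \rho_{nj})$$

hold. Therefore $p \le \pi_{PUB}$ from (5.1.1), (5.2.1) and Theorem 5.1, and
$\rho_{PLB} \le p$ from (5.1.2), (5.2.2) and Theorem 5.1. □
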
It is easy to see that if a different choice of component
reliabilities is made, i.e. if the (unconditional) component reliabilities
are used with the phase minimal path upper bounds, or the conditional
component phase reliabilities with the phase minimal cut lower bounds,
the resulting approximations are not bounds. For a mission with m=1
phases, obviously


Me m 
Mjqrhups Partt Png) qi al poe 


and strict inequality may hold. On the other hand, for a phased mission
with the block diagram

[Block diagram: phase 1, phase 2]

the exact mission reliability and the approximations are, in the
established notation,
A AAA 
ju à Ge. Sig) EP ee 
j=1°LB3 17425 de 10.022 
Theat, Corp oo - 
on 913 *P23 ALA UNA lo 


2 2 : 
so that TT, = hyp; (oy 3 >023) Eip = 11 Pp gg 677 39723)» and strict 


inequality holds if $0 < \pi_{kj} < 1$, k=1,2, j=1,2.

As before, cut cancellation can be performed prior to implementing
the approximations (5.2.1) and (5.2.2). The resulting approximations
corresponding to $\pi_{PUB}$ and $\rho_{PLB}$ are
— m e 
Eo "PUB-CC — THzihygg 0152779083 
and 
o PPLB-CC - TT;zi Pra; 14577083? 


where hug; and hr Bj denote the minimal path upper bound and the 
minimal cut lower bound, respectively, for the simplified configuration 
of phase j, j=1,...,m. Theorem 5.4 establishes that these approximations 
are bounds. 


Theorem 5.4. For $\pi_{PUB-CC}$ as given by (5.2.5), $\rho_{PLB-CC}$ as given
by (5.2.6), and p as given by (2.3.1) or (3.3.1),

$$\rho_{PLB-CC} \le p \le \pi_{PUB-CC}.$$


Proof. The simplified phase configurations are coherent, thus 


EEUU - hh <h RE i mm 
hr Bj E E = Nipi’ j=1,...,m, by construction and the inequalities
m,- = R
2.7) TT 2155 iatt Ta) E Te Bun; Tip Tay? 


and 


m 


m = = 
8552.8) Ihi 01,042 = UPRLA CEEE, 


hold. Therefore p rom! (A) (3:2.5)fand Theorem 


^ TPRF-CC 


DbE2, 'and c =P BromnEgEO 1 15-249) and Theorenis.2. 0 


PPRF-C 


Bounds $\pi_{PUB-CC}$ and $\rho_{PLB-CC}$ are the last to be considered here,
although additional ones certainly could be found. Attention is now
turned to a comparison and assessment of the bounds.


5.3 COMPARISON AND ASSESSMENT OF THE BOUNDS 

The bounds presented in the previous two sections differ from 
each other in several respects, and it is not obvious which of them are 
suited best for a specific phased mission problem. It is therefore 
necessary to compare and assess them. From an applications point of 
view, the most significant criteria on which to base comparisons of 
bounds are felt to be precision, i.e. closeness to the exact reliability, 
and computational effort, i.e. cost of calculation. These criteria 
will be addressed in turn. 

For single-phase systems, in order to obtain a rough idea of how
system reliability responds to the achievement of a general,
across-the-board level of component reliability, and to get an indication of
the precision of bounds, it is often assumed that all components have
the same probability of functioning. Then system reliability is a
function of a single variable - component reliability - and can easily
be exhibited. To use a similar approach for a system performing a
phased mission, i.e. to assume that all conditional component phase
reliabilities are equal, is somewhat more questionable but may still
provide an indication of the precision of bounds on mission reliability.
The following example demonstrates this.

Example 5.1. Assume that in the mission of Example 1.1 all
components have the same conditional phase reliability $\pi$ in all phases,
and consequently the same unconditional reliabilities $\rho_{kj} = \pi^j$ in phase
j, j=1,2,3. Then the exact mission reliability and the bounds on
mission reliability, as a function of $\pi$, take on the numerical values
given in Tables 5.1 and 5.2 below.

The tables show that for component reliabilities close to one,
the lower bounds approximate the exact mission reliability quite closely
whereas the same is not true for the upper bounds. This fact has been
observed frequently in single phase systems.


    $\pi$    $p$      $\pi_{PRF}$   $\pi_{PRF-CC}$   $\pi_{PUB}$   $\pi_{PUB-CC}$
    0.40     0.002    0.025         0.058            0.036         0.077
    0.50     Bord     0.078         0.141            0.119         0.190
    0.60     0.045    0.187         0.274            0.284         0.366
    0.70     0.137    0.364         0.454            0.526         0.584
    0.80     0.337    0.596         0.661            0.782         0.797
    0.90     0.668    0.834         0.857            0.955         0.948
    0.95     0.854    0.932         0.938            0.991         0.987
    0.99     0.978    0.989         0.990            1.000         0.999

Table 5.1. Exact mission reliability and upper
bounds for the mission of Example 1.1.

    $\pi$    $p$      $\rho_{PRF}$   $\rho_{PRF-CC}$   $\rho_{PLB}$   $\rho_{PLB-CC}$
    0.40     0.002    0.0764         0.0336            0.0°30         0.0957
    0.50     Bro      0.001          0.004             0.000          0.001
    0.60     0.045    0.009          OM                0.003          0.010
    0.70     0.137    0.055          0.090             0.030          0.061
    0.80     0.337    0.217          0.277             0.172          0.236
    0.90     0.668    0.590          0.633             0.566          0.615
    0.95     0.854    0.826          0.842             0.820          0.838
    0.99     0.978    0.976          0.977             0.976          0.977

Table 5.2. Exact mission reliability and lower
bounds for the mission of Example 1.1. □


The order among the bounds exhibited in Tables 5.1 and 5.2 is no
coincidence and does not only hold for this particular example. The
next theorem establishes some inequalities which are always valid.

Theorem 5.5. For the bounds as given by (5.1.1), (5.1.2), (5.1.4),
(5.1.5), (5.2.1), (5.2.2), (5.2.5), and (5.2.6), and p as given by
(2.3.1) or (3.3.1), the following inequalities hold.

$$\rho_{PLB} \le \rho_{PLB-CC} \le \rho_{PRF-CC} \le p \le \pi_{PRF} \le \pi_{PRF-CC} \le \pi_{PUB-CC},$$

$$\rho_{PLB} \le \rho_{PRF} \le \rho_{PRF-CC},$$

$$\pi_{PRF} \le \pi_{PUB}.$$

Proof. The proof consists of a separate demonstration for each
inequality.

(1) $p \le \pi_{PRF}$ by Theorem 5.1.

(2) $\rho_{PRF-CC} \le p$ by Theorem 5.2.

(3) $\pi_{PRF} \le \pi_{PUB}$ from (5.1.1), (5.2.1) and (5.2.3).

(4) $\rho_{PLB} \le \rho_{PRF}$ from (5.1.2), (5.2.2), and (5.2.4).

(5) $\pi_{PRF-CC} \le \pi_{PUB-CC}$ from (5.1.4), (5.2.5) and (5.2.7).

(6) $\rho_{PLB-CC} \le \rho_{PRF-CC}$ from (5.1.5), (5.2.6) and (5.2.8).


(7) Tpgp < "PRE-CC o and (5.1.6). 


(8) PPRF < P pRF-CC (dome 7 0 Ia MTS 


Finally, since à. = E Hs. m xEtrom (42.4) Mand thus 


< ra q me e “ 
hp; = hy By? j=l,...,m, the inequality 


m miz 
Hoaatro: (61; gua te Paj? = TM, <1 Pg; (1; put D 


holds, so that 


(9) P pL < PPLB-CC from (np) and$(5.2.0) 9 


No general inequalities can be established between $\pi_{PRF-CC}$ and
$\pi_{PUB}$, and between $\rho_{PLB-CC}$ and $\rho_{PRF}$. This is not too surprising.
In the case of the two upper bounds, both cut cancellation and the use
of phase upper bounds instead of phase reliability functions increase
the apparent phase reliabilities; and in the case of the two lower
bounds, cut cancellation and the use of phase lower bounds instead of
phase reliability functions tend to balance each other. More formally,
consider first a system where no cut cancellation is possible, i.e. 
$70. lama Tf Eggs aus for some j, then "pPRE-CC PUB 


Brom2(5.2.3), 'and from (5.2.4). Next, consider a system 


PPLB-CC PPRF 
with SL BY ENTER for j=1,...,m. If cuts can be cancelled in any one 
asen er ii 9, for some j, then Topp cc?™pyp and 

PpLB-CCP PRF from COE The relative magnitudes of these four 


bounds, however, may not only depend on the structure of the system
under consideration, but also on the values of the component reliabilities.
This is the case in the system of Example 1.1 and can be seen by
comparing the values of $\pi_{PRF-CC}$, $\pi_{PUB}$, $\rho_{PLB-CC}$ and $\rho_{PRF}$ for
$\pi=0.4$ and $\pi=0.8$ in Tables 5.1 and 5.2.


The fact that $\pi_{PUB}$ and $\pi_{PUB-CC}$ also cannot be compared is
somewhat counter-intuitive and unexpected, because it causes an
asymmetry in the string of inequalities of Theorem 5.5. However, it
can be shown that even two single-phase systems with structure func- 
tions $4 and $5» $4 705, may have minimal path upper bounds hy B1 
and hy po such that gi Lp: An example is a one-out-of-two 
system and a two-out-of-three system where all components have the 
same reliability p. In that case, hi g1 (P) >h g2 P) w E 
and hy py (P) <hi g2 (P?) for 0.9<spsl. The mission of Example 1.1 shows 
a similar behavior, as can be seen by comparing the values of $\pi_{PUB}$
and $\pi_{PUB-CC}$ for $\pi=0.8$ and $\pi=0.9$ in Table 5.1.

As far as the computational effort required to calculate bounds
is concerned, only a few statements valid in general can be made. One
is that for any system performing a phased mission, less effort is
required to compute the m phase reliability functions separately than
to compute the reliability function of the equivalent system; another,
that phase bounds are easier to calculate than phase reliability
functions. Cut cancellation simplifies all reliability calculations,
but requires computational effort to be performed. This may be minimal
in some cases (in particular when phase minimal cut lower bounds are
used because then the minimal cuts of all phases have to be known
explicitly), but cannot be neglected totally. On the whole, however,
it is felt that the benefits of cut cancellation outweigh its costs.

The diagram below is an attempt to summarize the previous
observations. Its comparisons may not hold in all cases, but do indicate
what is usually true. The symbol < stands for "requires less
computational effort than."


[Diagram relating $\pi_{PRF-CC}$, $\pi_{PRF}$, $\pi_{PUB-CC}$, $\pi_{PUB}$, $\rho_{PLB-CC}$, $\rho_{PLB}$, $\rho_{PRF-CC}$ and $\rho_{PRF}$ by the symbol <]

Figure 5.1. A comparison of the computational
effort required to calculate bounds.

5.4 AN ALGORITHM FOR THE "BEST" BOUND 

Trying to select the best bound from those presented in this
chapter is a difficult problem whose solution depends on the
circumstances of each particular application and cannot be given in general.
If one is interested in a conservative rather than an optimistic
approximation, and if the system to be analyzed has components with
uniformly high conditional reliabilities in all phases, then the
qualitative comparisons of the previous section and the numerical values
of Example 5.1 suggest that $\rho_{PLB-CC}$ is a good choice.

Since the above conditions are frequently encountered, and
$\rho_{PLB-CC}$ hence might be used more often than other bounds, an algorithm
for its computation is given below. This algorithm assumes that the
survival function $\bar{F}_k(t) = P[T_k > t]$, $t \ge 0$, is known for each component
$C_k$, k=1,...,n, that each phase configuration is represented by a
block diagram or a fault tree, and that the duration of the phases and
thus the times $t_1, \ldots, t_m$ are given.

Algorithm for Computing $\rho_{PLB-CC}$.

(1) For k=1,...,n and j=1,...,m, compute $\rho_{kj}$ from

$$\rho_{kj} = \bar{F}_k(t_j).$$

(2) For j=1,...,m, find the minimal cut sets of phase j from
the block diagram or the fault tree for that phase.
(3) Perform cut cancellation according to the rule given in
Section 4.2.
(4) For j=1,...,m, denote the number of minimal cut sets
remaining in phase j by K(j), and the i-th minimal
cut set in that phase by $K_{ji}$, i=1,...,K(j). Then compute
$\rho_{PLB-CC}$ from

$$\rho_{PLB-CC} = \prod_{j=1}^{m} \prod_{i=1}^{K(j)} \Bigl[ 1 - \prod_{k \in K_{ji}} (1 - \rho_{kj}) \Bigr].$$

The following example illustrates how the algorithm works.
Example 5.2. Suppose that for the mission of Example 1.1, a
general expression for the lower bound $\rho_{PLB-CC}$ is wanted. Using
the algorithm described above, the following results are obtained:

(2) The minimal cut sets are

    in phase 1   #{M,L}# {M,S}
    in phase 2   {F} #{H,M}# #{H,T}# {M,L}
    in phase 3   {F,M} {H,M} {H,T}

(3) The cut sets marked #{ }# above are cancelled.

(4) The minimal cut sets remaining are denoted by

    $K_{11}$ = {M,S},  $K_{21}$ = {F},  $K_{22}$ = {M,L},
    $K_{31}$ = {F,M},  $K_{32}$ = {H,M},  $K_{33}$ = {H,T},

and the bound $\rho_{PLB-CC}$ is given by

$$\rho_{PLB-CC} = [1-(1-\rho_{M1})(1-\rho_{S1})]\ \rho_{F2}\ [1-(1-\rho_{M2})(1-\rho_{L2})]$$

$$\cdot\ [1-(1-\rho_{F3})(1-\rho_{M3})]\ [1-(1-\rho_{H3})(1-\rho_{M3})]\ [1-(1-\rho_{H3})(1-\rho_{T3})].$$

This concludes the discussion of bounds based on reliabilities
directly. In the next chapter, a reliability transformation is
presented which permits the derivation of additional approximations and
bounds.

6. HAZARD TRANSFORMS FOR PHASED MISSIONS


Recently, Esary and Hayne [1973] extended the scope of application
of a simple reliability calculus of Rubinstein [1961, 1965] to coherent
systems. This calculus uses an approximate hazard transform and leads
to conservative approximations to system reliability. Its potential
for use in the phased mission problem is explored here.


6.1 AN APPROXIMATE HAZARD TRANSFORM

The hazard transform of a system with reliability function
$h(p_1, \ldots, p_n)$ is defined as

$$H(u_1, \ldots, u_n) = -\log h(p_1, \ldots, p_n) = -\log h(e^{-u_1}, \ldots, e^{-u_n}),$$

where $u_k = -\log p_k$ is the component hazard of component $C_k$ having
reliability $p_k$, k=1,...,n. Knowing the hazard transform of a system
is equivalent to knowing its reliability function since

$$h(p_1, \ldots, p_n) = e^{-H(u_1, \ldots, u_n)} = e^{-H(-\log p_1, \ldots, -\log p_n)}.$$

The assumption that components perform independently is implicit in the
definition of a hazard function, just as it is in the definition of a
reliability function.

The approximate hazard transform H' considered by Esary and Hayne
can be defined by the following rules:

(1) For a system consisting of a single component $C_k$ the
approximate hazard transform is equal to the component hazard,
i.e.

(2) For a system which is a combination of two modules (subsystems
with disjoint sets of components) having approximate hazard
transforms $H_1'$ and $H_2'$, the approximate hazard transform
H' is

    $H' = H_1' + H_2'$ if the combination is series,

    $H' = H_1' H_2'$ if the combination is parallel.

So far, the rules define the approximate hazard transform only for
systems that can be formed by successive series and parallel
combinations of subsystems which have no components in common, i.e. for the
class of simple systems considered by Lomnicki [1973]. To extend the
definition to systems which are coherent but not necessarily simple,
a third rule is needed. This rule makes use of the fact that any
coherent system can be represented in terms of its minimal cut sets.

(3) For a coherent system with minimal cut sets $K_1, \ldots, K_p$
whose approximate hazard transforms are $H_1', \ldots, H_p'$, the
approximate hazard transform H' is

$$H' = H_1' + H_2' + \ldots + H_p'.$$

Esary and Hayne showed that the approximate hazard transform
obtained in this way is conservative, i.e. indicates greater system
hazard (less system reliability) than the exact transform. For further
reference, this fact is noted as a theorem.

Theorem 6.1. For a coherent system with reliability function h,
hazard transform H, and approximate hazard transform H' obtained
according to the rules above, $H' \ge H$, and consequently $h' \le h$, where
$h' = e^{-H'}$.

6.2 APPLICATION OF THE APPROXIMATE HAZARD TRANSFORM TO THE PHASED
MISSION PROBLEM


Several approximations to the mission reliability of a
multi-phased system can be derived using the approximate hazard transform
defined in the previous section. One of them is discussed here in
detail.

Suppose that cut cancellation has already been performed in a
phased mission. Let $H_j'$ be the approximate hazard transform of the
simplified configuration of phase j, j=1,...,m, and define an
approximate hazard transform for the mission, H', by

(6.2.1)
$$H' = H_1' + H_2' + \ldots + H_m'.$$

Then h' given by

(6.2.2)
$$h' = e^{-H'} = e^{-(H_1' + H_2' + \ldots + H_m')}$$

is a conservative approximation to the mission reliability p, as is
proved in the following theorem.

Theorem 6.2. For h' as given by (6.2.2) and p as given by
(2.3.1) or (3.3.1), $h' \le p$.

Proof. Let Mee, zl m rhengh Deos from 
(6.2.1) and (6.2.2). Since the phase configurations are coherent, then 
h; = he, j=1,...,m, by Theorem 6.1. Therefore, Tu = TH. 
and the result follows from (5.1.5) and Theorem 5.2. □

An algorithm for computing h' consists of the following steps,
where the notation of Section 5.4 is used:

(1) For k=1,...,n and j=1,...,m, compute $u_{kj}$ from
(2) For j=1,...,m, find the minimal cut sets of phase j
from the block diagram or the fault tree for that phase.
(3) Perform cut cancellation according to the rule of Section 4.2.
(4) Compute the approximate hazard transform for the mission from

$$H' = \sum_{j=1}^{m} \sum_{i=1}^{K(j)} \prod_{k \in K_{ji}} u_{kj}.$$

(5) Compute the lower bound h' from


A comparison of this algorithm with the one presented in Section 5.4 indicates that the calculations of the bounds h' and $p_{\text{PLB-CC}}$ require about the same amount of effort. Both are conservative, but h' is less precise than $p_{\text{PLB-CC}}$, as is established in Theorem 6.3 below. It is therefore questionable from an applications point of view whether h' can replace $p_{\text{PLB-CC}}$ as the "best" lower bound for a phased mission. However, if all components of a system are assumed to have constant failure rates throughout each phase - as is often done for lack of better information about the distributions of the components' times to failure - the approximate hazard transform H' has the attractive feature that it is a polynomial in all of the phase durations. Thus it is well suited for parametric studies. An illustration for this is given after the assertion about the relative precision of h' has been proved.

Theorem 6.3. For h' as given by (6.2.2), and $p_{\text{PLB-CC}}$ as given by (5.2.6), $h' \le p_{\text{PLB-CC}}$.

Proof. It suffices to note that in the calculation of $p_{\text{PLB-CC}}$, the exact reliability of each parallel subsystem corresponding to a minimal cut set is used, whereas in the case of h', as a consequence of Theorem 6.1, a conservative approximation to the reliability of each such subsystem is the basis for the calculation. The result then follows from the fact that all other steps of the computation are equivalent. □

Example 6.1. Consider the mission of Example 1.1. Assume that the failure rate of component k in phase j is a constant $r_{kj}$, k=F,H,L,M,S,T, j=1,2,3, and let $d_j$ be the duration of phase j, j=1,2,3. Then from step (1) of the algorithm above, the component hazards are

$u_{kj} = r_{kj} d_j$,

and the following general expression for the approximate hazard transform of the mission is obtained from step (4) of the algorithm:⁴⁵


d 


1 — 
E = Sal" 


+ (tpg dy tt pod) + Cy dy ttyody) dy Ey 94)) 


dı +r_.d.+tr,.d.) (r,,.d.+r,,.d.+tr...d.) 


+ ed red dd yd 9d +34 


d.+tr...d.tr d,+r,..d,+r 


t (ydi ydo tyda) Cyd tryd tryd) 


+ d,+r,. d +r d4) Cr d,+r..d,+r da). 


(ry d) god trs Dm TS 


Now suppose that the duration of phase 2, $d_2$, is uncertain, and that a sensitivity analysis on it is desired. H' as a function of $d_2$ can be written as

$H' = a + b\,d_2 + c\,d_2^2,$

where
A d Fr d


rd 
er 


+ d+ d,+r 


E 4H 343 y Hg 43) 


+ ( d. +r d) (x d_+r_..d.) 


ENIMS Hoe 3 
+ d 145443) pd) 477345) » 


b = rgy (lrudi tyda) 


zs r 4d,Tr, dtr, ,d,-r d4) 


ry? Gy Fy ty 343487191 873 


+ d.+r_.d.+r_-d.+r,..d.+tr...d.) 


Ed 


+ Xy 749 Cyd yda) 


C a r .Tr 


= Tyo 2)  F2"M2 m2 m0 * ya. p2* 


For a numerical illustration, assume that phase 1 lasts 30 minutes and phase 3 lasts 10 hours, and that the following failure rates (in hours⁻¹) are given:

Component     F      H      L      M      S      T
Phase 1     0.000  0.001  0.040  0.020  0.100  0.000
Phase 2     0.020  0.003  0.010  0.006    -    0.020
Phase 3     0.010  0.002    -    0.005    -    0.020

Then

a = 0.012030,
b = 0.023333 hours⁻¹,
c = 0.000258 hours⁻².


For various durations of phase 2 (in hours), the approximate hazard transform for the mission, H', and the lower bound on mission reliability h', both rounded to three decimals, are shown below.

d_2     H'      h'
  0    0.012   .988
  1    0.036   .965
  2    0.060   .942
  3    0.084   .919
  4    0.109   .896
  5    0.135   .874
  6    0.161   .851
  7    0.188   .829
  8    0.215   .806
  9    0.243   .784
 10    0.271   .763    □
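As an added illustration (not code from the thesis), the following sketch carries out step (4) for Example 6.1 with constant failure rates, builds H' as a polynomial in the phase 2 duration, and evaluates h' and the mean of H' for a random phase 2 duration. It assumes that each cut set contributes the product of its components' hazards accumulated through its phase, as the product-of-sums terms in the general expression suggest. The cut sets in `CUTS` are hypothetical (they are not legible on this page and were chosen to reproduce the stated a, b and c), and a "-" table entry is taken as a zero rate.

```python
import math
from itertools import zip_longest

# Failure rates per hour in phases 1-3 (table of Example 6.1); "-" taken as 0.
RATES = {"F": (0.000, 0.020, 0.010), "H": (0.001, 0.003, 0.002),
         "L": (0.040, 0.010, 0.000), "M": (0.020, 0.006, 0.005),
         "S": (0.100, 0.000, 0.000), "T": (0.000, 0.020, 0.020)}

# ASSUMED minimal cut sets per phase after cut cancellation (hypothetical,
# not taken from the thesis; chosen to reproduce the stated a, b, c).
CUTS = {1: ["MS"], 2: ["F", "LM"], 3: ["FM", "HM", "HT"]}

def poly_mul(p, q):
    """Multiply two polynomials given as coefficient lists, lowest degree first."""
    out = [0.0] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            out[i + j] += x * y
    return out

def hazard_poly(d1, d3, rates=RATES, cuts=CUTS):
    """Coefficients [a, b, c, ...] of H' as a polynomial in d2."""
    total = [0.0]
    for phase, cut_sets in cuts.items():
        for cut in cut_sets:
            term = [1.0]
            for k in cut:
                r1, r2, r3 = rates[k]
                # Hazard of k accumulated through `phase`: const + slope * d2.
                const = r1 * d1 + (r3 * d3 if phase == 3 else 0.0)
                slope = r2 if phase >= 2 else 0.0
                term = poly_mul(term, [const, slope])
            total = [s + t for s, t in zip_longest(total, term, fillvalue=0.0)]
    return total

def hazard(coeffs, d2):
    return sum(c * d2 ** i for i, c in enumerate(coeffs))

def lower_bound(coeffs, d2):
    """h' = exp(-H'), the conservative bound on mission reliability."""
    return math.exp(-hazard(coeffs, d2))

def mean_hazard(coeffs, moments):
    """E[H'(D2)] for a random duration D2, where moments[i-1] = E[D2**i]."""
    return coeffs[0] + sum(c * m for c, m in zip(coeffs[1:], moments))

if __name__ == "__main__":
    print(hazard_poly(d1=0.5, d3=10.0))
```

Because H' is quadratic in the phase 2 duration here, `mean_hazard` needs only the first two moments of that duration.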





7. POSSIBLE EXTENSIONS AND REMAINING PROBLEMS 


It was shown in this thesis how, under suitable assumptions, the 
phased mission problem can be formulated mathematically and transformed 
into an equivalent single-phase problem, and how exact mission reliabili- 
ties and approximations to them can be computed. The assumptions made, 
however, may not always be satisfied by realistic systems and missions 
which have to be analyzed. In particular, components may not perform 
independently, failed components may be replaced, and the durations
of the phases may not be known in advance. 

Systems with interdependent components have been studied, but
so far no generally valid methods to model them seem to be available. 
In certain situations an approach similar to the one described in 
Chapter 3, i.e. the transformation of a system with interdependent 
components into an equivalent system whose synthetic components perform 
independently, may be feasible. Another approach might make use of the 
fact that several theorems on which lower bounds are based remain valid 
when component performances are positively dependent in the sense of 
association. 

As far as a replacement of failed components is concerned, it is 
felt that this feature can be incorporated into the model without 
causing major problems. If replacement is instantaneous at failure, 
it might simply be considered in the component's time to failure dis- 
tribution; if replacement can occur only at the end of a phase, then 
the equivalent system may be modified to reflect this fact. 

Example 6.1 indicated how uncertainties in the duration of the phases can be dealt with if component failure rates are constant throughout the phases. Under these circumstances, and if phase durations are assumed to be random, the mean of the approximate hazard transform for the mission can be found, even without complete knowledge of the phase durations' distributions.

As a final comment on the phased mission problem, it should be 
pointed out that even if all the extensions mentioned above can be 
incorporated into a model, practical use of it can only be made if all 
the necessary inputs are available. These inputs, the component relia- 
bilities on one hand, and the functional organization of the system in 
the various phases of its mission on the other, are not always easy to 


obtain. 
COMMENTS AND NOTES

1 This term is used by Barlow and Proschan [1965].

2 This definition of reliability is due to the Radio-Electronics Television Manufacturers Association [1955], as cited in Barlow and Proschan [1965], p. 6, and is widely accepted.

3 Roughly, a system is coherent if its "performance is not impaired by an improvement in the performance of its components" [Esary and Marshall 1964, p. 459]. All two-terminal networks and all systems whose functional organization can be represented by a fault tree using AND and OR gates only are coherent. - Barlow and Proschan [1965] use the term "monotonic" instead, but "coherent" seems to be more widely accepted and will be used in this thesis.

4 This approach was used before by Mine [1959].

5 Barlow and Proschan [1965], pp. 196f.

6 "Roughly...a device has a life if it functions continuously until some time of failure, and remains failed thereafter." [Esary and Marshall 1964, p. 459.]

7 Among these are: components perform independently - components have exponential lives - only two states are recognized for components and systems.

8 The method is described in Chapter 4.

9 The manual section on phased missions is based on the work of C. Persels.

10 Success paths and Muth's approach are briefly discussed in Section 1564.

11 Cf. the definition given above in Note 6.

12 In the military, for instance, a communication network, the power plant of a ship, and a mine are systems which may be required to perform phased missions.

13 Apologies are extended for this example to all firemen and all chemical engineers.

14 Esary and Marshall [1964], Theorem 3.1, p. 461.

15 Muth [1964], p. 2.

16 Rubin [1964], p. 263.

17 Expressing the life length as a random variable also permits, by the proper choice of its distribution function, taking into account the operating conditions (the environment) which the system encounters.

18 This is one of the classic assumptions mentioned before which are not very realistic but without which an exact reliability analysis is currently impossible.

19 An example for a system which violates this assumption is an HF-communication network. Here the atmospheric conditions play an important factor in determining whether the system functions or not.

20 A block diagram is a graphical model of the functional organization of components in a system. It provides a positive view of the system in that it indicates the combinations of functioning components which guarantee the functioning of the system.

21 A fault tree is also a graphical model of the functional organization of a system, but in contrast to a block diagram it provides a negative view of the system because it indicates which combinations of failed components cause failure of the system.

22 Almost all engineering systems are coherent. A ship with two captains could be an example for a system which is not coherent. Generally, an EXCLUSIVE OR gate in a fault tree indicates a non-coherent system.

23 This follows immediately from the definition; cf. Esary and Proschan [1963], p. 192.

24 Birnbaum, Esary, and Saunders [1961], pp. 66f.

25 Esary and Marshall [1964], Theorem 3.1, p. 461.

26 Cf. Figure 3.1. Component M, for instance, is common to all three subsystems.

27 Such computational methods are, for instance, the inclusion-exclusion algorithm and pivotal decomposition.

28 Cf. Fussell and Vesely [1972] and Vesely and Narum [1970] who describe programs for the analysis of fault trees.

29 Barlow and Proschan [197_], Chapter 1, or Birnbaum, Esary, and Saunders [1961], Theorem 2.7.7.1, p. 65.

30 Note, however, that as a result of cut cancellation the reliability of each phase configuration considered by itself increases.

31 Cf. Examples 1.2 and 3.1 and the paragraphs preceding them.

32 The subscript PRF is used mnemonically to indicate that these approximations are based on the phase reliability functions.

33 These are discussed, for instance, in Barlow and Proschan [197_], Chapter 2, and in Esary, Proschan, and Walkup [1967]. From the latter paper, Theorem 2.1, Theorem 4.1, and Property (P4) are needed in this proof.

34 Association is a special kind of positive dependence among several random variables. Performance state indicator variables are associated if the structure functions of any two coherent systems built from their corresponding components are positively correlated.

35 The added subscript CC indicates that cut cancellation has been performed.

36 Cf. the second part of the proof of Theorem 5.1.

37 A detailed discussion of these bounds and proofs is given in Esary and Proschan [1963], Section 4, pp. 194-197.

38 The subscript PUB stands for phase upper bounds, and the subscript PLB for phase lower bounds.

39 The abbreviation 0.0⁴64 stands for 0.000064.

40 It is assumed here that all conditional component phase reliabilities are strictly positive and less than one.

41 Terms which indicate a comparison are used here in the weak sense, i.e. "less" stands for "not more".

42 Step (1) can be omitted if a general expression for the bound rather than a numerical value for it is needed.

43 There exist computer programs which can perform this step. MOCUS, for instance, developed by Fussell, Henry, and Marshall [1974], is a program that finds the minimal cut sets of a system from its fault tree.

44 Esar aod Hayne Tov rheoBen 205 Sp la:

45 Steps (2) and (3) of the algorithm are the same as in Example 5.2 and not repeated here.

46 Interdependence among components may be caused, for instance, by common manufacturing processes or common operating conditions, or because the failure of one component increases the load on its neighbor.

47 For instance by Esary and Marshall [1974].

48 Cf. Remark 2.4 in Esary and Hayne [1973], p. I.

49 Equation (6.2.3) shows that for the particular mission considered $E\,H'(D_2)$ depends only on the first two moments of the random variable $D_2$.